Bug 150072

Summary: Device motion and orientation should only be visible from the main frame
Product: WebKit Reporter: Dean Jackson <dino>
Component: New BugsAssignee: Dean Jackson <dino>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, dbates, dustin.kerstein, mkwst, _
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch none

Dean Jackson
Reported 2015-10-12 18:32:56 PDT
Device motion and orientation should only be visible from the main frame
Attachments
Patch (7.67 KB, patch)
2015-10-12 19:10 PDT, Dean Jackson 		no flags
DetailsFormatted DiffDiff
Patch (8.60 KB, patch)
2015-10-13 13:40 PDT, Dean Jackson 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Dean Jackson
Comment 1 2015-10-12 19:10:51 PDT
Created attachment 262966 [details] Patch
Dean Jackson
Comment 2 2015-10-12 19:24:25 PDT
<rdar://problem/23082036>
Brent Fulgham
Comment 3 2015-10-13 13:00:06 PDT
Comment on attachment 262966 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=262966&action=review r=me. I think the duplicated test code could be a method, or perhaps even just a local variable, but the patch is fine as-is. > Source/WebCore/page/DOMWindow.cpp:1717 > + || (m_frame->mainFrame().document() && document()->securityOrigin()->canAccess(m_frame->mainFrame().document()->securityOrigin())))) { It seems like this test (which is repeated three times in this patch) could work as a DOMWindow method (e.g., "bool DOMWindow::frameDoesHaveCompatibleSecurityOriginToMainFrame()")
Dean Jackson
Comment 4 2015-10-13 13:40:44 PDT
Created attachment 263018 [details] Patch
Dean Jackson
Comment 5 2015-10-13 14:53:32 PDT
Committed r191008: <http://trac.webkit.org/changeset/191008>
Daniel Bates
Comment 6 2015-10-13 22:15:01 PDT
Comment on attachment 263018 [details] Patch Clearing review flag as this patch was already landed per comment 5.
Stephen Underwood
Comment 7 2016-01-06 00:23:44 PST
Hi Dean, Brent and Daniel, I was actively using device motion and orientation from a child frame. Is there a possibility of allowing an opt-in method for enabling access to device motion and orientation for the child frame? As from my perspective I will always be serving my content requiring the device motion and orientation from a separate domain but always over HTTPS. I noticed there is already an open ticket regarding such here https://bugs.webkit.org/show_bug.cgi?id=152299 Just wanted to raise some awareness as this is quite critical to my business needs. Kind Regards, Stephen Underwood
Note You need to log in before you can comment on or make changes to this bug.